The Rise of Adversary Emulation

In this blog post, we will discuss a fairly new concept that has been gaining a lot of traction recently: Adversary Emulation. Adversary emulation aims to test a network’s resilience against advanced attackers or advanced persistent threats (APTs). To do so, the adversary’s tactics, techniques, and procedures (TTPs) are emulated along the cyber kill chain, leading deeper into the target network on to the objectives or flags. Also, this was about the maximum number of buzzwords we could fit into one paragraph without it starting to sound ridiculous.

Evidence of the popularity of adversary emulation can be seen in the rise of tools aimed at automating this type of testing.

Bloodhound + GoFetch
Bloodhound has been around for a while now and facilitates lateral movement and privilege escalation in an Active Directory environment. It maps relationships between groups, users, devices, sessions, and ACLs. Given a Bloodhound graph, GoFetch auto-powns systems towards the destination, dumping credentials and passing hashes along the way.

Empire + DeathStar
Empire (a very well-known post-exploitation toolkit) uses agents to control compromised machines and execute attacks ranging from privilege escalation and credential theft to lateral movement and persistence. Hello there, cyber kill chain. With DeathStar on top, you get another combination that automatically maps an attack path and starts compromising until you become domain admin.

Caldera
Caldera is another automated adversary emulation tool, focused on post-compromise adversarial behavior. It has a planning system that allows it to “decide” the next best action to take based upon its current knowledge of the environment and the actions available at a given point in time. Created by MITRE, the actions are based on their ATT&CK framework (Adversarial Tactics, Techniques & Common Knowledge).

Red Team Automation (RTA)
This framework makes use of Python scripts that emulate over 50 tactics defined in MITRE’s ATT&CK framework. As such, it is well-suited to test your blue team’s detection capabilities against the TTPs used by the adversary of your choice.

Atomic Red Team (ART)
Very similar to RTA above, ART consists of atomic tests mapped to the ATT&CK framework. Next to Powershell, ART can be automated using a Ruby API as well.

Some of these tools seem more fit for offensive purposes, while others are more focused on defensive use cases (even though their name would suggest otherwise). Here we see that the emerging trend of adversary emulation can benefit both sides of the spectrum. Offense or defense, with adversary emulation, red and blue teams have found a common ground. Purple teaming was born. It probably looked a bit like this:

While red teaming and purple teaming are both useful forms of adversary emulation, in practice they have different goals and objectives:

Red team engagements are typically focused on assessing how resilient (including prevention, detection & response to threats) organisations are against a simulated threat. This means that the red team usually tries to stay under the radar (undetected by the blue team) for as long as possible. Feedback is provided at periodic intervals (status updates) and a debrief session or workshop follows at the end of the engagement.

Purple team engagements are typically focused on improving resilience (including prevention, detection & response to threats) of organisations against a simulated threat. This means that the red team works closely together with the blue team throughout the engagement, testing out different techniques and attack scenarios. Feedback is provided immediately, in order to improve the organisation’s security posture (both preventive and detection controls).

As indicated above, both approaches can offer value to organisations, depending on the maturity of the organisation and the objectives of the engagement. For example, a red team engagement where the red team obtains the majority of flags (i.e. successfully executes the threat scenarios) can bring a useful shock effect to prioritize security efforts (typical example: “OMG, they got Domain Admin!”). A successful purple team engagement on the other hand, could bring tremendous value if the blue team can improve on its security posture by working together with the red team throughout the engagement.

At NVISO, we have a proven track record in adversary emulation, which is built on our years of experience in red team (penetration testing, security assessments, etc) and blue team (security monitoring, threat hunting, incident response, etc) work. Don’t hesitate to get in touch if you want to learn more, or join one of the upcoming runs of the new SANS course “SEC599 – Defeating Advanced Adversaries – Purple Team Tactics & Kill Chain Defenses”, a purple teaming course authored by one of our experts!